badblocks again

I decided to run badblocks again. This time I measured how long it took:

% time sudo badblocks -wvs /dev/sdc
Checking for bad blocks in read-write mode
From block 0 to 1953514583
Testing with pattern 0xaa: done
Reading and comparing: done
Testing with pattern 0x55: done
Reading and comparing: done
Testing with pattern 0xff: done
Reading and comparing: done
Testing with pattern 0x00: done
Reading and comparing: done
Pass completed, 0 bad blocks found.
sudo badblocks -wvs /dev/sdc  13368,87s user 13223,29s system 1% cpu 417:38:54,64 total

417 / 24 = 17+ days…


badblocks

After reading this post on Planet Debian and having seen this in my server logs a couple of times:

ata5.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
ata5.00: irq_stat 0x40000008
ata5.00: failed command: READ FPDMA QUEUED
ata5.00: cmd 60/20:00:80:e8:42/01:00:25:00:00/40 tag 0 ncq 147456 in
         res 41/10:00:b0:ea:42/00:00:25:00:00/65 Emask 0x481 (invalid argument) 
ata5.00: status: { DRDY ERR }
ata5.00: error: { IDNF }
ata5.00: configured for UDMA/100

I determined that it was time to get some new disks for the server and ordered two Western Digital Caviar Red 2TB. After installing the first one in the server I started badblocks(8) as recommended in the post above. That was 18 days ago. The process finished yesterday…

We’ll see if I’ll do the same with the other disk. I’m currently waiting for the raid to be rebuilt before installing the second HDD.


Subversion repository on diet

A couple of months ago I wrote a Python module to alter a Subversion dump file in various ways.

It has now been used on a large dump file to remove the svn:mergeinfo property from all paths except from the root of all branches and tags. This made the repository shrink from 400 GiB to a more backup and mirror friendly 50 GiB. In the process some carriage returns were removed from svn:externals and svn:log to make the load work without --bypass-prop-validation.

The simple skeleton in combination with the README on GitHub should get you started if you are interested in using it.


Transparent HTTP proxy in python

I recently wanted to modify a web resource that a device on my local network loads when starting. To avoid having a static local modified copy of the resource I wrote a simple transparent HTTP proxy in Python using the Twisted networking engine (which btw was a joy to use) which does the modification when the resource is loaded. The code is not modular (e.g. the resource modification is hard coded in the processResponse() function) and the logging is very verbose, but if anyone is interested the code is available on GitHub: transparent-proxy.git.

The proxy is now running on my local server which sits behind the real gateway. Besides making the device use the server as gateway and enabling NAT on the server, this single iptables rule is all that is needed:

iptables -t nat -A PREROUTING -s $CLIENT_IP -p tcp --dport 80 -j REDIRECT --to-port 8080

Saving energy

I just published a how-to describing how I modified a Nexa plug-in to control a Tego Reco Master. The end goal is to be able to automatically lower the temperature in the house during the night and work days to save some energy.

I imagine only Swedes may be interested in this so I wrote it in Swedish. If you want it in English, Google Translate is there to help.


SFTP only access to server

I recently installed a NAS server in my home and wanted to give my family and relatives access to it so that they could use it as a remote backup server for photos and stuff. To keep it as secure as possible I only wanted to give them SFTP access.

(All commands below are executed as root.)

First I created a group to group them together and then added the users to that group. I chose to disable their passwords as I only allow logins using SSH keys.

addgroup sftponly
# Repeat the line below for each user
adduser --disabled-password --ingroup sftponly ausername

As for the upload directory I wanted them to upload their data to my raid1 volume mounted under /data/pool1. Since OpenSSH has some requirements for the permission on the directories used as chroot I created the following directory layout.

cd /data/pool1
mkdir -m 751 sftp
ln -s . sftp/home
# Repeat the lines below for each user
mkdir -m 700 sftp/ausername
chown ausername:root sftp/ausername

The home symlink makes each user's home directory, /home/ausername, resolve to /ausername inside the chroot, so that is the initial SFTP directory. The sftp directory is created with mode 751 to disallow directory listing in the top directory.

Then, as “all components of the pathname must be root-owned directories that are not writable by any other user or group” and /data/pool1 is not root owned I created a bind mount by adding the following to /etc/fstab.

/data/pool1/sftp  /srv/sftp  bind  bind  0  0

Before the initial mount, the directory must be created.

mkdir /srv/sftp
mount /srv/sftp

Then, the final part was to configure OpenSSH by adding the following lines at the end of /etc/ssh/sshd_config.

Match Group sftponly
  ChrootDirectory /srv/sftp
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Remember to restart the OpenSSH server afterwards.
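As an added example (not from the original post), this Python check applies the rule quoted above to every component of a ChrootDirectory path: each must be a root-owned directory that is not writable by group or others. The FakeStat records are constructed sample metadata for the layout in this post, and uid 1000 for /data/pool1 is an assumption, since the post only says it is not root-owned.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result, used for the constructed sample data.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")

def path_components(path):
    """Yield '/', '/srv', '/srv/sftp' for '/srv/sftp'."""
    path = os.path.normpath(path)
    if not os.path.isabs(path):
        raise ValueError("ChrootDirectory must be an absolute path")
    current = "/"
    yield current
    for part in path.strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            yield current

def check_chroot_path(path, stat_fn=os.stat):
    """Return a list of (component, problem) tuples; empty means acceptable."""
    problems = []
    for comp in path_components(path):
        st = stat_fn(comp)  # follows symlinks, like stat(2)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & 0o022:
            problems.append((comp, "writable by group or others"))
    return problems

# Constructed metadata modelling the two paths in the post (not real output).
# Assumption: /data/pool1 is owned by uid 1000.
D = stat.S_IFDIR
SAMPLE = {
    "/": FakeStat(D | 0o755, 0),
    "/data": FakeStat(D | 0o755, 0),
    "/data/pool1": FakeStat(D | 0o755, 1000),
    "/data/pool1/sftp": FakeStat(D | 0o751, 0),
    "/srv": FakeStat(D | 0o755, 0),
    "/srv/sftp": FakeStat(D | 0o751, 0),
}

if __name__ == "__main__":
    for target in ("/data/pool1/sftp", "/srv/sftp"):
        print(target, check_chroot_path(target, SAMPLE.__getitem__) or "OK")
```

Called with the default stat_fn, check_chroot_path("/srv/sftp") inspects the real filesystem instead of the sample data.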


Handelsbanken login now works on Linux

Thanks to the hard work done by the FriBID project I was today able to log in to Handelsbanken (my bank) using the card reader connected to the computer. I did this by following the instructions on the FriBID wiki. Good stuff!

I’m using Ubuntu 11.10 on amd64.


Faster resume with (k)ubuntu Natty

After upgrading to Kubuntu Natty beta 1 the time for resuming (from RAM) my HP ProBook 6450b has improved significantly. Previously I had to wait up to a minute until the wireless card was up and running and I had Internet access. Now it’s only a matter of seconds. My Linux laptop is now fully on par with my old Apple iBook when it comes to suspend/resume (the only area where it was previously lagging).

I can’t say for sure why it’s better now, but I like to think that it’s due to Broadcom’s full-source release of their wireless drivers. Thank you Broadcom!


ELF Auxiliary Vectors

Interesting article about ELF Auxiliary Vectors. Found it after reading a comment mentioning AT_SECURE in the LWN article about glibc vulnerabilities.


Getting Licq to build with pbuilder

I wanted to test that I had specified the correct Build-Depends in my Debian package of Licq 1.5.0-rc2. It seemed like the simplest way to do this was to create a personal builder installation and build the package in that chroot.

So I did:

sudo pbuilder create --debootstrapopts --variant=buildd

Building should then be as simple as executing:

git-buildpackage --git-builder=/usr/share/doc/git-buildpackage/examples/gbp-pbuilder --git-cleaner="fakeroot debian/rules clean"

Or it should have been that simple. Unfortunately the build failed with:

Fatal: no entropy gathering module detected

After some googling and testing, the fix was to add two random devices to the chroot:

sudo pbuilder login --save-after-login
mknod -m 666 /dev/random c 1 8
mknod -m 666 /dev/urandom c 1 9
chmod 666 /dev/null
exit

(The change of permission for /dev/null was needed to avoid getting errors later in the build process.)
